Queries for the SentinelAudit table
For information on using these queries in the Azure portal, see Log Analytics tutorial. For the REST API, see Query.
Failures updating Office365-Sharepoint related Sentinel resources
Display audit logs of failed attempts to update Office365-Sharepoint related Sentinel resources, with optional filters by caller name and workspace ID.
SentinelAudit
// | where WorkspaceId == "<WorkspaceId>" // to filter on a specific WorkspaceId, uncomment this line
| extend CallerName = tostring(ExtendedProperties.CallerName)
// | where CallerName startswith "<userName>" // to filter on a specific user, uncomment this line
| where Status == "Failure"
| where SentinelResourceName has "Office365-Sharepoint"
| limit 100